New Mac Malware Found OSX/KitM.A

Security company F-Secure is reporting on a new malware that targets Macs, specifically OSX. The name for this malware is OSX/KitM.A. So far, it appears to be a backdoor application that attempts to take screenshots of your system, then upload them to remote servers. The app is called Mac.apps, and when installed, the application is appended to the current Mac user’s log-in items so it runs whenever the affected user account is logged in. It then takes regular screenshots that it places in a visible folder in the user’s home directory called MacApp. It then tries to upload them to the URLs “securitytable.org” and “docsforum.info,” which either are not working or are issuing “public access forbidden” error messages.

It is also unique in that it is signed with what appears to be a valid Apple Developer ID associated with the name Rajender Kumar. The use of the ID appears to be an attempt to bypass Apple’s Gatekeeper execution prevention technology.

Managing this malware for now involves simply checking one’s log-in items (select your username in the Users & Groups system preferences and click the Login Items tab) and removing the macs.app program if present to prevent it from being launched when you log in. Locating and removing the macs.app program file from your computer is also advised; this could be in the Downloads folder, the home directory, or in the Applications folder at the root of the drive.